[Emu] TEAP no EAP: which "error" for EAP methods that are not available?
Eliot Lear <lear@lear.ch> Sat, 08 October 2022 07:52 UTC
Return-Path: <lear@lear.ch>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11483C1524AA for <emu@ietfa.amsl.com>; Sat, 8 Oct 2022 00:52:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 87v21rDwjaB0 for <emu@ietfa.amsl.com>; Sat, 8 Oct 2022 00:51:56 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C9AAC1522AD for <emu@ietf.org>; Sat, 8 Oct 2022 00:51:43 -0700 (PDT)
Received: from [192.168.0.130] (77-58-144-232.dclient.hispeed.ch [77.58.144.232]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 2987pelP1858993 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for <emu@ietf.org>; Sat, 8 Oct 2022 09:51:41 +0200
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1665215501; bh=mGoOYy+w/AQD7NbjhaTz2fIKqzGFM0F7ueA59Y9U460=; h=Date:To:From:Subject:From; b=C8nuc9EY3y9DEOFwR6iavZvATVAv5XBijyGdg+g2rELh+DUOeD5/tF9i76/xUp8C+ nqAOsDY7JwQLqnbcq92nfUGY0OprbfQtLnWWSHxQvRDXVZ1LBqeswt4b+bwTs8isJT PV7PhQW30gimcc/j8ontCzv8O2NRQfVfSzSEudlk=
Message-ID: <e7b9c59b-d98f-7683-c8aa-a405c1c86c1f@lear.ch>
Date: Sat, 08 Oct 2022 09:51:40 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.13.1
Content-Language: en-US
To: EMU WG <emu@ietf.org>
From: Eliot Lear <lear@lear.ch>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------HjIqssFTw00FBIOQymIH3OJN"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/dXzlpWojfBJQmlxL_OiyVOSLIew>
Subject: [Emu] TEAP no EAP: which "error" for EAP methods that are not available?
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Oct 2022 07:52:01 -0000
&TL;DR what to do when peer doesn't want to do an inner EAP method, but you still want to allow peer on the network? My answer: intermediate-result TLV with status=failure. One potential use case is when you have some devices that support individual users and some that do not. In this case, the server might request an inner EAP method such as MSCHAPv2. This would work fine for a laptop but not so well for a lightbulb. The server may yet wish to make a policy decision to allow the lightbulb onto the network, even though it made use of no inner method. RFC 7170 ponders this use case in Section 3.3.1: The result of failure of an EAP method does not always imply a failure of the overall authentication. If one authentication method fails, the server may attempt to authenticate the peer with a different method. What is less clear is what to do when no EAP method is available. There are three choices: 1. Send a NAK TLV 2. Send an Error TLV 3. Send an intermediate result TLV with status = failure. A NAK TLV seems to contemplate TLVs that are simply *not* implemented. I don't think that's the correct answer, but so long as the server understands that the peer means "don't send me no stinking EAP TLVs" and can intelligently apply policy, no big deal. Still, I think that's not a good general answer. It's possible that both the peer and the server could implement something like EAP-AKA, but that the server doesn't have access to the necessary credential information of the client, and may still want to allow the client online. Section 3.6.3 states the following about using an Error TLV with an inner method: If there is a non-fatal error handling the inner method, instead of silently dropping the inner method request or response and not responding, the receiving side SHOULD use an Error TLV with error code Inner Method Error to indicate an error processing the current inner method. The side receiving the Error TLV MAY decide to start a new inner method instead or send back a Result TLV to terminate the TEAP authentication session. But this seems to be applicable when the inner method is already started. Also, this seems to stretch the definition of what an "Error" is. That militates against the SHOULD above, right? Finally, the peer could simply respond with an Intermediate-Result-TLV with Status=Failure. This seems to be the most straightforward way of responding, and it seems to be what was intended with the text I quoted from Section 3.3.1. One might want to provide the EAP TLV as an optional TLV in the Intermediate-Result, but one seemingly cannot because because the Intermediate-TLV text reads the following in Section 4.2.11: The TLVs in this field MUST NOT have the mandatory bit set. I don't understand this, but there it is. It spares me having to determine whether one is supposed to include just the TLV code in that space or the T, L, and V. And this same question recurs with Request-Action TLVs. Fortunately, in that context it makes more sense that only the type code is necessary, and this is indeed the practice that wpa_supplicant has followed. If it seems to you like we're building up a little bit of an issue list for a TEAP update.... you'd be right ;-) Eliot